Prelude


Damian A. James Williamson 


This assessment requires you to investigate how social engineering can be used to 
conduct data breaches and relate the context to ECU (or a similar university 
environment) to identify potential security issues and propose mitigation strategies 
to counter these issues. 


In early June 2019, we heard in the news of a significant data breach that occurred at 
the Australian National University. There were several media reports that highlighted 
what had occurred, who the attackers were, and the consequences of the attack. 


ECU is not very different from ANU and is a potential target for a similar kind of 
attack as reported in the media. A popular approach for exploiting vulnerabilities is 
through social engineering. Identify potential avenues by which users of ECU's IT 
systems/infrastructure could be exploited through social engineering. You are not 
required to interview any ECU staff, or conduct any social engineering yourself. 
Instead, only use information that is publicly available. This is what a potential 
attacker would also do in the first place. 
(Edith Cowan University, 2019) 


Provide mitigation strategies. 


Introduction 


The report was researched through internet searches, locating industry information, 
news and research articles, and additionally through previous personal endeavour 
including fieldwork (Williamson, 2019a). The report considers how social engineering 
operates, the risks it poses in an ordinary environment, and the possibility of providing 
mitigations. While there is limited opportunity to remove the threat of social 
engineering entirely, we may work progressively to limit its reach within an organisation. 
Implementations of software that may assist with the management of electronic social 
engineering attempts have been previously considered and are referenced. 


Background 

Social engineering has existed in various forms since the beginning of biblical history 
(Nathaniel, 2018). By distracting or innocently coercing a victim, or by appearing 
knowledgeable, to belong to the organisation, or to be a trusted confidant, social 
engineering aims to deliver value, information or access to resources to the attacker 
by deception. 


Social engineering can take on many forms. Perhaps the most common is regular spam 
emailing. Spam is any unsolicited bulk email received, which excludes anything that you 
have ever signed up for or consented to receiving. Any response to a spam email, 
including merely opening it, may provide some information to an attacker: when an email is 
opened it may load pictures, including blank tracking pixels, and the act of loading them 
identifies the IP address, operating system and email client of the victim. Many spam emails 
directly request action, a response or information, and the way the internet operates can make 
identifying the true origin or sender of spam very difficult, as IP addresses are easily 
obfuscated or forged. 


Phishing emails are more specifically engineered, appearing to be from a legitimate sender 
or organisation with which the victim may already have an existing relationship, and by 
requesting a response they trick the user into providing the requested information. Often this 
involves fake websites that appear legitimate and an urgent or threatening request to 
update information or unlock an account. 


Spear-phishing, like phishing, seeks to gather information from a victim using email as the 
instigator, but is much more targeted, to a few individuals or even a single one. Using specific 
knowledge, these emails are often compelling and more difficult for the average user to 
detect as fraudulent. 


Vishing is perhaps more commonplace than people may think and involves combinations 
of coercion, deception and suggestion to gather information from a victim by telephone. 
If successful, the visher may call back on several occasions over time for further 
information. There are further techniques used in social engineering, including 
impersonation and smishing. 


All social engineering is a form of either deception or coercion. Over half of all cyber 
incidents are caused by social engineering (Muncaster, 2017). 


Recently, the Monash IVF group has been the subject of a cyber attack involving one of its 
servers, and patients of the clinic have been receiving phishing emails. As the company 
investigates, it is clear that patients have been receiving the fraudulent emails in 
response to legitimate emails that they sent to the company, encouraging them to 
click on an attachment (Baker, 2019). Being a clinical provider, the company houses 
sensitive data, including patients' names and dates of birth and detailed medical 
history. Monash IVF operates Australia-wide, and the attack is rated as very serious even 
though only a small number of patients are affected. Monash IVF has been working with the 
Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner, 
and industry regulators (Cunningham, 2019). 


Potential Security Issues 

Any university is not dissimilar to the example of ANU. The various types of social 
engineering can be targeted at specific user types. Users can be categorised into different 
groups, including standard users, privileged users and the public. In any organisation it can 
at least be presumed that standard users and administrators exist. Varying levels of system 
and service access carry varying risk and expose different potential attack vectors. 


Public users may have login or access credentials for a company website or service system, 
or have a service provider maintain records of their details. It should be assumed that they 
are vulnerable to all types of social engineering attack, and mitigation strategies should be 
put into effect accordingly. The data collated through a combined-method social engineering 
attack can be extensive, and the risk to the company or service provider's security must not be 
underestimated. There should be no electronic access for public users unless there is an 
explicit need for it, and then all actions should be restricted and monitored. 


The use of privileged users is a security risk. All network operators should remove privileged 
user accounts, restricting all users to standard accounts, so that the only privilege that exists 
is administrator privilege granted only where unavoidably necessary. This may mean several 
tiers of administrator accounts for specific administration tasks. 


If a standard user's access is breached, there should be no insecure operations available 
to the attacker, whereas if privileged users exist, the breach will carry some escalated 
privilege granting greater, and avoidable, access into secured systems. Administrator accounts 
are otherwise never to be used, so that there is no opportunity to breach privileged access. 


A public user is likely only to receive spam unless their details are already compromised. The 
standard risks of spam apply when receiving, opening or acting on a message. Any details 
gathered may be used to escalate the social engineering attack. It is suspected that organised 
entities collect large amounts of spam responses to enable more specific social engineering 
operations, as can be seen from the types of information purportedly available for illicit 
supply. 


Standard users and administrators alike are likely to receive spam, phishing and spear-phishing 
emails and vishing attacks. As described, the escalating specificity of spam, phishing and 
spear-phishing emails allows more targeted social engineering and possibly the collection of 
more and more sensitive data. Vishing attacks can begin with as little as a telephone number 
and the name of an organisation. In every case, the information available to the attacker 
depends on how insecurely the user behaves. 
A further result of poor handling of social engineering attacks can be the opening of an 
attack vector for the installation of viruses, trojans or other malicious software. One 
security principle assumes that all data is already breached, and on that basis records nothing 
confidential, since it could otherwise become known. Even highly vetted administrators can be 
imperfect, disclosure mistakes are not entirely unheard of, and unauthorised access by an 
administrator is not entirely prevented; together these are the primary reasons for partitioned 
security inside an organisation. 


Social engineering allows the collection and collation of email addresses, can direct victims 
to false credential-stealing portals, can reveal access methods and locations, and, where 
insecure methods are in use, can capture cookies, session data and credentials. Further 
confidential company information and credentials can also be stolen; with insecure staff, the 
attacker's access to information is unlimited. 


In an email-based social engineering attack, the initial objective is information gathering, 
using an email designed to solicit a response. As the email is transmitted, the information 
provided by the receiving mail server is available to the sending server and can be recorded. 
On some email systems a receipt of inbox delivery may be generated and returned while the 
email waits in the inbox. Once the email is collected, any user-side exploit could be leveraged 
and some type of malware installed. Opening or reading the email can trigger a read receipt 
to be requested and sent, providing origin and software information, since the receipt is 
generated and sent in a manner similar to an email. Opening the email also exposes a further 
layer of potential vulnerabilities and vectors for malware: any embedded content, including 
content that is invisible, can request and make a remote connection. Whatever data is 
returned, the IP address and details of the email-reading software making the request will 
be available to the attacker. The response may also include exploits, or alternatively may 
not provide anything visible at all. 


Replies to an email-based social engineering attack provide still more information. It is 
reasonable to assume that by the stage of replying you have already done the wrong thing, 
although it is sometimes impossible to discriminate between real and fraudulent emails 
without a detailed inspection, or even assistance, to discern the hidden or very specific 
details that differentiate them. Any further action after opening reveals additional data to 
the attacker. Any link may be tracked and may deliver malware. On some email systems and under 
some conditions, deleting the email will provide the attacker with a receipt of deletion. Any 
reply certainly reveals information about the email-reading and reply software you are using, 
along with any information you have provided, even unintentionally. All of this widens the 
social engineering attack vector; it does not necessarily lead to a further attack in direct 
reply, but it does increase the attacker's knowledge for exploitation. 
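The beaconing and read-receipt behaviour described above can be checked for before a message is opened. The following is an added example, not code from the original report: it parses a constructed sample message and flags read-receipt request headers, remote image beacons (tiny or hidden ones especially), and links whose host does not match the sender's domain. The header names, the sample addresses and the 1x1/display:none heuristic are this example's own assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not a real capture): it asks for a read receipt,
# embeds a remote hidden 1x1 image and links to a host unrelated to the sender.
SAMPLE_EMAIL = b"""From: IT Service Desk <servicedesk@uni.example>
To: staff@uni.example
Subject: Urgent: unlock your account
Disposition-Notification-To: track@mailer.example
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox will be locked. <a href="http://uni-login.example/unlock?u=42">Unlock now</a></p>
<img src="http://mailer.example/t.gif?u=42" width="1" height="1" style="display:none">
<img src="cid:logo@local" alt="logo">
</body></html>
"""

RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To")
TAG_RE = re.compile(r"<(img|a)\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)')

def find_remote_refs(html, sender_domain):
    """Return (image beacons, off-domain links); cid:/data: sources are local."""
    beacons, links = [], []
    for m in TAG_RE.finditer(html):
        a = {k.lower(): v for k, v in ATTR_RE.findall(m.group(0))}
        is_img = m.group(1).lower() == "img"
        url = a.get("src") if is_img else a.get("href")
        if not url or not url.lower().startswith(("http://", "https://")):
            continue  # no remote request is made for local or missing sources
        if is_img:
            tiny = a.get("width") == "1" and a.get("height") == "1"
            hidden = "display:none" in a.get("style", "").lower()
            beacons.append({"src": url, "pixel": tiny or hidden})  # pixel: likely tracker
        else:
            host = (urlparse(url).hostname or "").lower()
            if host != sender_domain and not host.endswith("." + sender_domain):
                links.append(url)  # link points away from the claimed sender
    return beacons, links

def analyse(raw_bytes):
    """Summarise receipt requests, beacons and off-domain links in one message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    report = {"receipt_requested": [h for h in RECEIPT_HEADERS if h in msg],
              "beacons": [], "offdomain_links": []}
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        report["beacons"], report["offdomain_links"] = find_remote_refs(body.get_content(), sender_domain)
    return report
```

A mail client configured not to load remote images defeats the beacon, but a check like this still tells the user why the message is suspicious.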
Mitigation Strategies 

The primary methods of security are filtering (technology), obscurity (process), and ongoing 
education (technology). Education of users and members of the public is most important, as 
security training provides insight into the correct and safe operation of ICT technology. 
Administrators are further trained, and, in keeping with security protocols, their directions 
must be observed correctly and their instructions followed precisely. Methods of education may 
include providing correct and fully up-to-date procedure information and the training to 
read it, along with regular updates. Team meetings should also provide regular briefings, and 
access to outside training should keep staff current with industry standards. All employees are 
equally important to educate. 


Filtering technology operates at many layers and serves to remove, restrict or redirect 
any fraudulent emails that can be detected by various methods. The problem is that very 
often legitimate emails are also caught, and handled in a manner of which the user is 
unaware, unadvised or uninterested, resulting in a lack of communication or response on 
possibly necessary channels. The solution, even in the present year with all the advancements 
and improvements, is to handle critical variable processes manually unless specific rules for 
managing actions can be provided that operate without error. Manually handling emails exposes 
risk, but it also prevents multi-million-dollar legitimate contract opportunities from being 
overlooked, or significant business decision-making information from being unavailable, which 
is why training and ongoing education are necessary. 


The ideal of obscurity is that email addresses and communication points are not only kept 
non-public but are also difficult to guess. Unlike computer systems, humans communicate 
using observable methods, such as speech and writing. An obscured email address may be 
only a random string of characters, which acts as a form of incoming email password security: 
you cannot send an email without knowing the password, i.e. the email address. Telephone 
numbers may also, in the modern day, be difficult to guess unless they have been provided. 
Public and private email systems can operate side by side; public email systems should only 
be available to specifically trained users within an organisation and, needless to say, to the 
public who operate outside it. 


Call-answering scripts fend off vishing, since requests for information can only be 
channelled one way depending on the questions asked and the answers given. The use of public 
incoming lines should also be restricted to specifically trained employees. 


Rejection of invalid incoming email, spam RBL filtering and desktop spam management are 
recommended solutions that are easily configurable on any decent email server. For desktop spam 
management, any user-operated anti-malware suite with spam management is suitable for 
assisting in filtering without the removal of valid emails. Other well-vetted criteria for the 
selection of anti-virus software and configuration used in defending against electronic social 
engineering attack exist and have been documented in a previous report in another Edith Cowan 
University subject (Williamson, 2019b). 
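As an added illustration of the server-side filtering recommended above (not code from the report or from any mail server product), the following shows how an RBL lookup is formed, how the answer is decoded, and how it combines with a sender-domain validity check into an accept/reject decision. The zone name, domains, addresses and return-code meanings are constructed placeholders, and the resolvers are stubs so that it runs offline; "invalid incoming email" is interpreted here as mail from a sender domain with no mail exchanger.

```python
import ipaddress

# Constructed DNS answers standing in for live lookups (placeholder zone and
# domains); real DNSBLs publish their own meanings for the 127.0.0.x codes.
FAKE_A = {"4.3.2.1.dnsbl.example": ["127.0.0.2"]}
FAKE_MX = {"uni.example": ["mail.uni.example"]}
RETURN_CODES = {"127.0.0.2": "spam source", "127.0.0.4": "compromised host"}

def rbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone

def rbl_listings(ip, zones, resolve_a):
    """Map each zone to decoded listing reasons; an empty list means not listed."""
    out = {}
    for zone in zones:
        answers = resolve_a(rbl_query_name(ip, zone))  # [] stands for NXDOMAIN
        out[zone] = [RETURN_CODES.get(a, "unknown code " + a) for a in answers]
    return out

def inbound_policy(client_ip, sender, zones, resolve_a, resolve_mx):
    """Evaluate a connection the way an MTA restriction list does, in order:
    malformed or unresolvable sender domain -> reject, listed client -> reject,
    otherwise accept. Returns (verdict, reason)."""
    if "@" not in sender:
        return ("reject", "sender address is not user@domain")
    domain = sender.rsplit("@", 1)[1].lower()
    if not resolve_mx(domain):
        return ("reject", "sender domain has no mail exchanger")
    hits = {z: r for z, r in rbl_listings(client_ip, zones, resolve_a).items() if r}
    if hits:
        detail = "; ".join(f"{z} ({', '.join(r)})" for z, r in hits.items())
        return ("reject", "client listed: " + detail)
    return ("accept", "passed sender-domain and RBL checks")

def demo():
    """Run three constructed cases against the stub resolvers."""
    resolve_a = lambda name: FAKE_A.get(name, [])
    resolve_mx = lambda name: FAKE_MX.get(name, [])
    zones = ["dnsbl.example"]
    return [inbound_policy("1.2.3.4", "x@uni.example", zones, resolve_a, resolve_mx),
            inbound_policy("5.6.7.8", "x@uni.example", zones, resolve_a, resolve_mx),
            inbound_policy("5.6.7.8", "x@absent.example", zones, resolve_a, resolve_mx)]
```

Rejecting at connection time, as here, avoids the silent quarantine problem the report describes, because the sender receives the refusal rather than the message vanishing unnoticed.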
Conclusion 

The threat of social engineering attack is ongoing so long as there is interaction with the 
public. Even if the organisation itself operates privately, the public users of the organisation 
hold some information that could be attacked. 


The risk is managed through ongoing user and public education, appropriate software and 
configurations for the filtering and rejection of communications, and processes to manage 
communications. 


While the risk of succumbing to social engineering attack can be alleviated substantially 
overall, some risk evidently remains. 


There is the possibility that future technology may never improve over handling communications 
manually, in a well-trained manner, albeit we will see that technology will try. 